BNB Chain is exploited; hackers made off with over $100 million worth of Binance Coin
At least $2 billion has been lost to crypto attacks this year related to cross-chain bridges.
Hackers exploited flaws in the BSC Token Hub bridge to forge messages and mint new BNB tokens.
The tokens did not belong to BSC users, and the exploit affected no user funds.
The Binance team was able to halt this hack before it could affect investors on the Binance platform.
The Binance team pledged to adopt a new on-chain governance mechanism to protect against possible future attacks and to expand the number of validators.
Hackers made off with over $100 million worth of Binance Coin in what seems to be the most recent exploit in digital assets, further destabilizing an already dreadful year for cryptocurrencies.
The world's largest cryptocurrency exchange, Binance, confirmed this event hours after prominent crypto figures had taken to Twitter late Thursday, talking of a $600 million hack.
This security breach is among the biggest setbacks in cryptocurrency history, adding to the several hacks recorded this year.
However, the Binance team, with the help of validators and other security services, was able to halt this hack before it could affect investors on the Binance platform.
On October 6, one or more unidentified hackers seized almost $560 million from the BNB cross-chain bridge, also called the BSC Token Hub. According to SlowMist, the hacker moved more than $100 million of this sum to other chains. The hacker's address on the BNB Chain had about $430 million in BNB tokens left.
Taking advantage of flaws in the cross-chain bridge, the perpetrator(s) tricked Binance into releasing 1 million BNB tokens. After the first exploit succeeded, they used the same trick to send another 1 million BNB tokens to an address they controlled, as Sam Sun, head of security at Paradigm, pointed out.
Binance stated that "a total of 2 million BNB cryptocurrency was withdrawn" by hackers, valuing the theft at $580 million.
Cross-chain bridge hacks have become rampant in recent years; bridges are a desirable target for cybercriminals because they tend to accumulate significant quantities of locked assets across several blockchains.
The news of Binance being hit by a $100 million hack is the latest in a series of attacks on the crypto sector this year.
The Binance blockchain took the unusual step of suspending transactions on the BNB Token Hub Bridge for about 8 hours last Thursday due to the exploit. The hacker could only transfer between $100M and $110M off-chain, of which at least $7M has already been frozen, according to Binance.
Since the hijacked tokens were newly created by the attacker and did not pre-exist in BSC users' wallets, no user funds were impacted by the exploit.
The "potential exploit" could have targeted hundreds of millions of dollars in crypto. BNB Chain said in a tweet that it prevented the incident from spreading by contacting the blockchain's "validators": "We have asked all validators to suspend BSC temporarily. We are humbled by the speed and coordination from the community to freeze cash."
Binance commended the validators for their rapid response during the attack.
According to a tweet from the official BNB chain account, the Chain has resumed operations after the software upgrade that froze the hackers' address.
BNB Chain was able to resume operations at around 06:40 UTC when chain validators agreed to close the off-chain vulnerability used by hackers.
While the BNB Chain has already blocked further transfers of the funds held in the hacker's wallet, the team assured the community of several actions it would take next, including:
Conducting a governance vote to formalize the decision on what to do with the funds: whether to freeze funds in the hacker's address on BNB Chain or to "auto-burn" the tokens.
Offering a $1 million reward to white-hat hackers who find significant bugs in the future.
Rewarding 10% of recovered funds to anyone who exposes hackers.
Author: M. Olatunji, Gate.io Researcher
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.